upgrading snakeyaml to version 1.33


Anoop Chitreddy

Dec 13, 2022, 12:25:21 AM12/13/22
to WildFly
Hi, 

We are currently using wildfly-26.1.2.Final built using the wildfly feature pack. Recently we received a warning from our dependency check tool indicating that org.yaml.snakeyaml-1.31.jar is triggering a Medium severity CVE https://nvd.nist.gov/vuln/detail/CVE-2022-41854

Would we be safe to upgrade snakeyaml to version 1.33? I am asking this question because the module file for snakeyaml in wildfly is marking it as a private dependency:
------------------------------------------------------------------------------------------------------------------------
<module name="org.yaml.snakeyaml" xmlns="urn:jboss:module:1.9">

    <properties>
        <property name="jboss.api" value="private"/>
    </properties>

    <resources>
        <resource-root path="snakeyaml-1.31.jar"/>
    </resources>

    <dependencies>
        <module name="java.desktop"/>
        <module name="java.logging"/>
        <!--WFLY-14219 Remove deprecated <module name="javax.api"/> -->
    </dependencies>
</module>
------------------------------------------------------------------------------------------------------------------------ 

Appreciate your help.
Anoop

Brian Stansberry

Dec 13, 2022, 3:54:14 PM12/13/22
to WildFly
We haven't specifically tested this but I expect moving from 1.31 to 1.33 should work fine. Of course you want to test your own use. The Snakeyaml changelog at https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes isn't showing anything terribly scary. 
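The upgrade Brian describes is a drop-in jar swap inside the module directory: copy the new jar next to module.xml, point the `<resource-root>` at it, and remove the old jar. The script below is an added example written for this page, not code from the WildFly project or from either poster. It assumes the module lives under `modules/system/layers/base/org/yaml/snakeyaml/main/` (the usual feature-pack layout; verify against your own install), that the resource-root is named `snakeyaml-<version>.jar` as in the posted module.xml, and that you have already downloaded the 1.33 jar. The fixture it builds in a temp directory reproduces the module.xml from the question with empty stand-in files for the jars, so it runs offline; on a real server you would pass `$WILDFLY_HOME/modules` and the real jar.

```shell
#!/bin/sh
# Added example (not WildFly project code): find the snakeyaml module in a
# WildFly modules tree and repoint its module.xml at a newer jar.
# Assumed layout: <modules>/system/layers/base/org/yaml/snakeyaml/main/module.xml
# with a resource-root of the form snakeyaml-<version>.jar.

# Print the version referenced by one module.xml (empty if none).
snakeyaml_version_in() {
    sed -n 's/.*<resource-root path="snakeyaml-\([0-9][0-9.]*\)\.jar".*/\1/p' "$1"
}

# Print "module.xml-path<TAB>version" for every module.xml that references a
# snakeyaml-<version>.jar. The pattern deliberately does not match
# snakeyaml-engine, which is a different artifact.
find_snakeyaml_modules() {
    find "$1" -name module.xml -print 2>/dev/null | while read -r f; do
        ver=$(snakeyaml_version_in "$f")
        if [ -n "$ver" ]; then printf '%s\t%s\n' "$f" "$ver"; fi
    done
}

# Point module.xml at snakeyaml-<new_version>.jar. Refuses to edit unless the
# new jar already sits beside module.xml, so the module never references a
# missing resource; removes the old jar afterwards. Returns 0 on success.
bump_snakeyaml_module() {
    module_xml=$1
    new_version=$2
    dir=$(dirname "$module_xml")
    old_version=$(snakeyaml_version_in "$module_xml")
    [ -n "$old_version" ] || { echo "no snakeyaml resource-root in $module_xml" >&2; return 1; }
    [ -f "$dir/snakeyaml-$new_version.jar" ] || { echo "snakeyaml-$new_version.jar not found in $dir" >&2; return 1; }
    old_esc=$(printf '%s' "$old_version" | sed 's/\./\\./g')
    tmp=$(mktemp)
    sed "s#snakeyaml-$old_esc\.jar#snakeyaml-$new_version.jar#" "$module_xml" > "$tmp" && mv "$tmp" "$module_xml"
    if [ "$old_version" != "$new_version" ]; then rm -f "$dir/snakeyaml-$old_version.jar"; fi
    return 0
}

# Constructed fixture: a throwaway modules tree holding the module.xml from the
# question plus empty stand-ins for the 1.31 and 1.33 jars. Prints the root.
make_fixture() {
    root=$(mktemp -d)
    mod="$root/modules/system/layers/base/org/yaml/snakeyaml/main"
    mkdir -p "$mod"
    cat > "$mod/module.xml" <<'EOF'
<module name="org.yaml.snakeyaml" xmlns="urn:jboss:module:1.9">
    <properties>
        <property name="jboss.api" value="private"/>
    </properties>
    <resources>
        <resource-root path="snakeyaml-1.31.jar"/>
    </resources>
    <dependencies>
        <module name="java.desktop"/>
        <module name="java.logging"/>
    </dependencies>
</module>
EOF
    : > "$mod/snakeyaml-1.31.jar"
    : > "$mod/snakeyaml-1.33.jar"   # stand-in for the downloaded 1.33 jar
    echo "$root"
}

# Run the whole procedure on the fixture and print the version now referenced.
demo() {
    root=$(make_fixture)
    xml=$(find_snakeyaml_modules "$root/modules" | cut -f1)
    bump_snakeyaml_module "$xml" 1.33 || return 1
    snakeyaml_version_in "$xml"
    [ ! -f "$(dirname "$xml")/snakeyaml-1.31.jar" ] || return 1
    rm -rf "$root"
}
```

The refusal to edit module.xml when the new jar is absent is the check worth keeping: a module.xml that names a jar which is not on disk leaves the server failing to load the module at boot rather than merely running the old version. After the swap, restart the server and confirm the module directory contains only the 1.33 jar before re-running the dependency check.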